Nelson B wrote:
Gerd Schering wrote:


1) I have three different certs from two distinct CAs. If I dump
cert7.db with

./certutil -L -d $HOME/.mozilla/gerd4000/nzt72va1.slt

only two show up:

[EMAIL PROTECTED]                                    ,p,
[EMAIL PROTECTED]                                    u,pu,u

How did you get this cert (or these certs) into the cert DB? Did you get it from an on-line certificate authority via the mozilla browser? Did you import it in a PKCS 12 file (.p12) or some other type of file? If you imported it, did the file from which you imported it specify the "nickname" (a.k.a. "friendly name") of the cert as being just the email address?

It appears that what you have here is a cert DB with two records (a "nickname" record and an SMIME profile record) that point to the same cert and have the same names. Generally, nickname records should not have just the email address as the name. SMIME profiles always have just the email address as the name. When the nickname and the SMIME profile have the exact same name, certutil uses the first one it finds.

A nickname record can point to multiple certs with the exact same subject name, but not to multiple certs with different subject names. So, if you have multiple certs with different subject names, but the same email address, and the nicknames for all those certs are just the email address, the nickname record can only point to one of those certs. The others may be in the database, but the nickname record cannot point to them all. So, nicknames should contain enough of the subject name attributes to be unique, not merely the email address.


What do the u's in the second line mean?

The u's mean that your key3.db file has the private key that goes along with
this certificate. I believe that information is generally associated with
nickname records, and not with SMIME profiles.


If I try to examine the certs with

./certutil -L -n [EMAIL PROTECTED] -d $HOME/.mozilla/gerd4000/nzt72va1.slt

only one cert gets displayed.
Where are the others?

I think this is because all the certs were given the same nickname, which was just the email address. If each cert was given a different nickname, they would each appear on separate lines. The question is, what piece of software caused all the certs to have the same nickname? That should be fixed, IMO.


I think much of the above confusion originated from using mozilla's certificate manager and certutil concurrently. After quitting the browser and dumping cert*.db with certutil, my three certs showed up as

Imported Certificate #4 u,pu,u
Imported Certificate u,u,u
Imported Certificate #2 u,u,u

which also shows they were imported via PKCS 12 files.

But I still have two different certs for another person, which came by email and show up as

[EMAIL PROTECTED] ,p,
[EMAIL PROTECTED] ,p,

They seem to have the same nickname. Looking at them again using mozilla's certificate manager shows that one of them is expired.

Gerd
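The two recurring points in this thread, what the trust letters such as ",p," and "u,pu,u" mean and why two certs sharing one nickname cause trouble for certutil -L -n, can be checked mechanically from a certutil -L listing. The script below is an added example written for this page; it is not code from either poster or from NSS. It parses a constructed listing modelled on the ones quoted above (the email address is a placeholder), decodes each usage column using the flag meanings documented for certutil, reports whether a "u" indicates a private key in key3.db, and flags nicknames that appear more than once, since -n will only show one of them. The assumption is that the listing has the usual layout: padded nickname, then three comma-separated flag fields (SSL, S/MIME, JAR/XPI) at the end of the line.

```python
import re
from collections import defaultdict

# Meaning of the trust flag letters certutil prints in each usage column,
# per the certutil documentation.
TRUST_FLAGS = {
    "p": "valid peer",
    "P": "trusted peer (implies p)",
    "c": "valid CA",
    "T": "trusted CA to issue client certs (implies c)",
    "C": "trusted CA to issue server certs (implies c)",
    "u": "user cert: matching private key is in key3.db",
    "w": "send warning",
}
USAGES = ("SSL", "S/MIME", "JAR/XPI")

# Constructed sample of `certutil -L -d <dir>` output, modelled on the
# listings quoted in the thread. The email address is a placeholder.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Imported Certificate #4                                      u,pu,u
Imported Certificate                                         u,u,u
Imported Certificate #2                                      u,u,u
other.person@example.org                                     ,p,
other.person@example.org                                     ,p,
"""

# An entry is a nickname (which may contain spaces), whitespace, then three
# comma-separated fields of flag letters (possibly empty) ending the line.
_FLAGS = "[pPcTCuw]*"
ENTRY_RE = re.compile(
    rf"^(?P<nick>.+?)\s+(?P<trust>{_FLAGS},{_FLAGS},{_FLAGS})\s*$"
)


def parse_listing(text):
    """Return [(nickname, (ssl_flags, smime_flags, jar_flags)), ...]."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, sub-header or blank line
        trust = tuple(m.group("trust").split(","))
        entries.append((m.group("nick"), trust))
    return entries


def decode_trust(trust):
    """Map each usage column to the human-readable meaning of its flags."""
    return {usage: [TRUST_FLAGS[f] for f in flags]
            for usage, flags in zip(USAGES, trust)}


def has_private_key(trust):
    """A 'u' in any column means the private key for this cert is in key3.db."""
    return any("u" in flags for flags in trust)


def duplicate_nicknames(entries):
    """Nicknames listed more than once; `certutil -L -n` shows only one of them."""
    counts = defaultdict(int)
    for nick, _ in entries:
        counts[nick] += 1
    return sorted(nick for nick, n in counts.items() if n > 1)


def report(text):
    """One line per entry plus a warning per duplicated nickname."""
    entries = parse_listing(text)
    lines = []
    for nick, trust in entries:
        key = "private key present" if has_private_key(trust) else "no private key"
        cols = "; ".join(f"{u}: {', '.join(v) or '-'}"
                         for u, v in decode_trust(trust).items())
        lines.append(f"{nick}: {key} [{cols}]")
    for nick in duplicate_nicknames(entries):
        lines.append(f"WARNING: nickname {nick!r} is used by more than one cert; "
                     "'-n' will display only the first match")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LISTING)))
```

Run it against real output by piping `certutil -L -d <dir>` into `parse_listing`; the duplicate-nickname warning is the condition described in the thread where one nickname (here just an email address) covers both an expired and a current cert.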

